5.1.1 Ensure allow and deny filters limit access to specific IP addresses

Information

IP-based restrictions act as a defense in depth mechanism. They allow you to allowlist legitimate paths to your applications and explicitly deny IP addresses you believe to be malicious.

Rationale:

IP restrictions help you to only allow traffic based on the concept of least privilege. You may specify vlans, countries, or specific servers that may be allowed or denied on your site. It is recommended that you implicitly deny all traffic and only allow those with a legitimate use case to access your website if choosing to take this approach. This allows you to limit the surface area an attack may come from.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Compile a list of network ranges or IP addresses you would want to access your web server or proxy. Then add these ranges with the allow directive. The deny directive should be included with all IP addresses implicitly denied.

location / {
allow 10.1.1.1;
deny all;
}

Default Value:

This is not configured by default.

See Also

https://workbench.cisecurity.org/files/4212